Set up Liberty to run in SP800-131a
We can set up Liberty to meet the SP800-131a requirement originated by the National Institute of Standards and Technology (NIST).
SP800-131a requires longer key lengths and stronger cryptography. The specification also provides a configuration that lets users move to strict enforcement of SP800-131a, and a configuration that lets users run with a mixture of settings from both FIPS 140-2 and SP800-131a. SP800-131a can be run in two modes, transition and strict. Transition mode gives users a setting with which to move their environment toward SP800-131a strict mode: in transition mode, using the SP800-131a required certificates and setting the protocol to TLSv1.2 are optional. Strict enforcement of SP800-131a requirements on Liberty includes the following:
- The use of the TLSv1.2 protocol for the Secure Sockets Layer (SSL) context.
- Certificates must have a minimum key length of 2048 bits. Elliptic Curve (EC) certificates require a minimum curve size of 224 bits.
- Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512. Valid signatureAlgorithms include:
- SHA256withRSA
- SHA384withRSA
- SHA512withRSA
- SHA256withECDSA
- SHA384withECDSA
- SHA512withECDSA
Note: If SHA384withECDSA or SHA512withECDSA is used, the unrestricted policy file needs to be in place for the IBM JDK.
- The use of SP800-131a-approved cipher suites.
Note: To configure a Liberty server to run in SP800-131a mode, you must be running a level of the IBM JDK that supports SP800-131a. The minimum levels of the IBM JDK are Java 6 SR10, Java 6.0.1 SR2, or Java 7.
For more information about the SP800-131a standard, see the National Institute of Standards and Technology.
We can configure Liberty to run in SP800-131a strict mode or transition mode as follows:
- Configure Liberty to run in SP800-131a strict mode.
- Make sure you are running on a level of the IBM JDK that supports SP800-131a.
- Make sure that the certificates of the server meet the criteria for SP800-131a:
- Certificates have a minimum key length of 2048 bits, and Elliptic Curve (EC) certificates have a minimum curve size of 224 bits.
- Certificates are signed with at least SHA256, that is, with one of the signature algorithms listed previously.
- Configure your SSL Configuration to use the TLSv1.2 protocol.
See Enable SSL communication in Liberty and SSL configuration attributes for more details.
- When using collectives, if the sslProtocol is updated, two configuration changes must be made:
- ${wlp.install.dir}/etc/server.env must specify the -Dhttps.protocols property in order for the ${wlp.install.dir}/bin/collective utility to successfully communicate with the controller.
For example:
JVM_ARGS=-Dhttps.protocols=TLSv1.2
- Each internal collective replication ssl id must be updated with the desired protocol.
For Example:
<ssl id="controllerConnectionConfig" sslProtocol="TLSv1.2"/>
<ssl id="memberConnectionConfig" sslProtocol="TLSv1.2"/>
See Liberty environment variables for how to set system properties in the jvm.options file.
- Set the system property com.ibm.jsse2.sp800-131 to strict so that the JSSE enforces SP800-131a strict mode. For example, -Dcom.ibm.jsse2.sp800-131=strict.
- Configure Liberty to run in SP800-131a transition mode.
- Make sure you are running a level of the IBM JDK that supports SP800-131a.
- Optional: If Elliptic Curve (EC) ciphers are required, list them in the enabledCiphers attribute. EC ciphers are not included when cipher lists are generated using the securityLevel attribute of the SSL configuration. For the full list of ciphers, see the Java Technology Security information.
- The JSSE is enabled to run in SP800-131a transition mode by setting the system property com.ibm.jsse2.sp800-131 to transition. For example, -Dcom.ibm.jsse2.sp800-131=transition.
See Liberty environment variables for how to set system properties in the jvm.options file.
Note: If you change the protocol to TLSv1.2, make sure that your browser, and any other client that connects to the server, supports TLSv1.2.
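Putting the strict-mode procedure and the certificate criteria together, as an added example that is not part of this page or of the Liberty product: the shell script below writes the server.xml, jvm.options and etc/server.env fragments for strict or transition mode under a Liberty install directory, and includes a check that reads `openssl x509 -noout -text` output and applies the certificate criteria listed above (RSA key length, EC curve size, signature algorithm). The Liberty directory layout, the keystore name, the ${keystore_password} variable and the cipher suite list are assumptions; the certificate texts are constructed samples, abridged to the lines the check reads. Note that OpenSSL prints algorithm names differently from the Java signatureAlgorithm names on this page (sha256WithRSAEncryption rather than SHA256withRSA).

```shell
#!/bin/sh
# Added example, not from the Liberty documentation. Assumes the standard
# Liberty layout: ${wlp.install.dir}/etc/server.env and
# ${wlp.install.dir}/usr/servers/<name>/{server.xml,jvm.options}.
# The keystore name, ${keystore_password} and the cipher list are assumptions.

# write_sp800131a_config WLP_DIR SERVER_NAME MODE
# Writes the three pieces of configuration the procedure calls for:
#   server.xml     SSL configuration pinned to TLSv1.2, with EC cipher suites
#                  listed explicitly (securityLevel does not generate them)
#   jvm.options    the JSSE mode switch (strict or transition)
#   etc/server.env -Dhttps.protocols so the collective utility can reach a
#                  TLSv1.2-only controller
write_sp800131a_config() {
    wlp=$1; server=$2; mode=${3:-strict}
    case "$mode" in
        strict|transition) ;;
        *) echo "mode must be strict or transition" >&2; return 2 ;;
    esac
    mkdir -p "$wlp/etc" "$wlp/usr/servers/$server"
    cat > "$wlp/usr/servers/$server/server.xml" <<'EOF'
<server description="SP800-131a example">
    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>
    <!-- key.jks must hold a >=2048-bit RSA or >=224-bit EC key whose certificate
         is signed with SHA256, SHA384 or SHA512. Assumption: keystore_password
         is defined in bootstrap.properties. -->
    <keyStore id="defaultKeyStore" location="key.jks" type="JKS"
              password="${keystore_password}" />
    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2"
         enabledCiphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" />
</server>
EOF
    printf '%s\n' "-Dcom.ibm.jsse2.sp800-131=$mode" > "$wlp/usr/servers/$server/jvm.options"
    printf 'JVM_ARGS=-Dhttps.protocols=TLSv1.2\n' > "$wlp/etc/server.env"
}

# check_cert_sp800131a
# Reads `openssl x509 -noout -text` output on stdin; returns 0 when the
# certificate meets the strict-mode criteria (RSA key >= 2048 bits, EC key
# >= 224 bits, signature SHA256/384/512 with RSA or ECDSA), 1 otherwise,
# printing a reason for each failed criterion.
check_cert_sp800131a() {
    text=$(cat)
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    keyalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # matches both "Public-Key: (2048 bit)" and older "RSA Public-Key: (2048 bit)"
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    rc=0
    case "$sigalg" in
        sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) ;;
        ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) ;;
        *) echo "FAIL: signature algorithm '$sigalg' is not SHA256/384/512 with RSA or ECDSA"; rc=1 ;;
    esac
    case "$keyalg" in
        rsaEncryption)
            [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: RSA key is ${bits:-?} bits, need >= 2048"; rc=1; } ;;
        id-ecPublicKey)
            [ "${bits:-0}" -ge 224 ] || { echo "FAIL: EC key is ${bits:-?} bits, need >= 224"; rc=1; } ;;
        *) echo "FAIL: public key algorithm '$keyalg' is not RSA or EC"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples in the shape of `openssl x509 -noout -text` output,
# abridged to the lines the check reads.
GOOD_RSA='    Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'
LEGACY_RSA='    Signature Algorithm: sha1WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'
GOOD_EC='    Signature Algorithm: ecdsa-with-SHA384
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                NIST CURVE: P-256'
WEAK_EC='    Signature Algorithm: ecdsa-with-SHA256
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (192 bit)
                NIST CURVE: P-192'

for sample in GOOD_RSA LEGACY_RSA GOOD_EC WEAK_EC; do
    eval "cert=\$$sample"
    printf '%s\n' "$cert" | check_cert_sp800131a && echo "$sample: meets SP800-131a" || echo "$sample: rejected"
done
```

To check a real server keystore, export each certificate with `keytool -exportcert -rfc` and pipe it through `openssl x509 -noout -text | check_cert_sp800131a`; a non-zero exit means the server will not meet strict mode once -Dcom.ibm.jsse2.sp800-131=strict is set, and the printed reasons say which criterion failed.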